From: Dr. P. V. <pv...@uo...> - 2010-07-03 10:18:59
TJ Saunders <tj...@ca...> writes:

>> However, the error log is more or less a side problem. My main problem
>> is that there are no SSL/TLS connections possible any more with
>> mod_tls.
>>
>> The new release 1.3.3a has been published today and the release notes
>> promise a fix of SSL_shutdown() errors. If your assumption is right,
>> my mod_tls related problems could be fixed as well. Immediately, I
>> built ProFTPD 1.3.3a against OpenSSL 0.9.8n. My test results are
>> a bit surprising:
>>
>> - The SSL_shutdown() errors do still appear in the log files. The
>> "TLSOptions EnableDiags" just gives some more information.
>
> Could you provide that additional EnableDiags information? Since I'm not
> able to reproduce the behavior locally, I'm totally dependent on people
> experiencing the issue for data.
>
> The patch for Bug#3419 would still produce the same TLSLog entries; the
> functional change is that for SSL_shutdown() return value, mod_tls no
> longer considers it a fatal error and closes the session. Instead,
> mod_tls just logs the case, and moves on with its business.
>

The slightly more detailed SSL_shutdown() error log message is:

Jul 03 11:37:13 mod_tls/2.4.1[8428]: [msg] sent TLSv1 warning 'close_notify' Alert message (2 bytes)
Jul 03 11:37:13 mod_tls/2.4.1[8428]: [info] writing: SSL/TLS alert warning: close notify
Jul 03 11:37:14 mod_tls/2.4.1[8428]: panic: SSL_ERROR_SYSCALL, line 4574: Broken pipe
Jul 03 11:37:14 mod_tls/2.4.1[8428]: unexpected OpenSSL error, disconnecting
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL sessions attempted: 4
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL sessions established: 4
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL sessions renegotiated: 0
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL sessions resumed: 3
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL sessions in cache: 1
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL session cache hits: 0
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL session cache misses: 0
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL session cache timeouts: 0
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL session cache size exceeded: 0

TLSLog entries are produced by the configuration statements
"TLSLog /var/log/proftpd/proftpd.tlslog" and "TLSOptions EnableDiags".

>> - mod_tls connections are possible again, ProFTPD is not hanging
>> anymore.
>
> That's certainly good news.
>
>> I am happy to have back a working mod_tls enabled ProFTPD of
>> the latest release. Nevertheless, I would like to know, if I should
>> give an OpenSSL update a try. Latest sub 1.0.x version is 0.9.8o,
>> version 1.0.x still needs some time to become more stable.
>
> I just built OpenSSL-0.9.8o on my Ubuntu 9.04 laptop, and ran the mod_tls
> regression tests I have against it, without issue. Caveat emptor: the
> regression tests rely on Perl's Net::FTPSSL, with which I can't reproduce
> all of the various FTPS client behaviors. But it's enough for me to say
> "sure, give OpenSSL-0.9.8o a try in your environment to see what happens".
> The changes described between OpenSSL-0.9.8o and OpenSSL-0.9.8l, for
> example, don't immediately strike me as likely to cause problems for
> mod_tls.

Thanks for the advice and experiences. I'll test OpenSSL 0.9.8o as soon as
I have some time left and I am going to share my experiences in this thread.

>
>> By the way: ProFTPD 1.3.2e produces the same SSL_shutdown() log
>> errors as 1.3.3 and 1.3.3a do. My tests reveal the following mod_tls
>> versions:
>
> Using which FTPS client, exactly? Not all FTPS clients use the same SSL
> libraries, and the ways in which the clients disconnect/close data
> connections vary quite widely...
>
> Cheers,
> TJ
>

Most of the time I use lftp 4.0.9. Surprisingly, FileZilla 3.3.3 does not
produce this SSL_shutdown() error log with ProFTPD 1.3.3a while lftp still
does. Until now, ProFTPD 1.3.3a no longer hangs on SSL/TLS connections,
independent of the FTP client used.

Regards,
Peter

> Those have most power to hurt us, that we love.
> -Francis Beaumont
>
> ProFTPD Users List <pro...@pr...>